From: Roman Mamedov <rm@romanrm.net>
To: Wei Chen <weichen302@zoho.com>
Cc: "wireguard" <wireguard@lists.zx2c4.com>
Subject: Re: Iptables WireGuard obfuscation extension
Date: Wed, 28 Sep 2022 16:33:56 +0500
Message-ID: <20220928163356.183baef9@nvm>
In-Reply-To: <183272e3203.12ada1173180167.8469340361616836666@zoho.com>

On Sat, 10 Sep 2022 06:34:42 -0500
Wei Chen <weichen302@zoho.com> wrote:

> Hi,
> 
> Jason once suggested using a netfilter module for obfuscation[1]. Here is one.
> 
> https://github.com/infinet/xt_wgobfs
> 
> It uses SipHash-1-2 to generate pseudo-random numbers in a reproducible way.
> The sender and receiver share a SipHash secret key. The sender creates and the
> receiver re-creates identical SipHash output if the input is the same. These
> SipHash outputs are used for obfuscation.
> 
> - The first 16 bytes of the WG message are obfuscated.
> - The mac2 field is also obfuscated if it is all zeros.
> - The WG message is padded with random bytes of random length. They come from
>   the kernel's get_random_bytes_wait(), though.
> - 80% of keepalive messages are dropped at random. Again, the randomness is
>   from the kernel.
> - The DiffServ field is changed to zero.
> 
> Tested working on Alpine Linux kernel 5.15 and CentOS 7 kernel 3.10.
> 
> Performance test in two Alpine VMs running on the same host. Each VM has 1 CPU
> and 256 MB RAM. Iperf3 results: 1.1 Gbit/s without vs 860 Mbit/s with
> obfuscation.

Hello,

Are you the author, so we can ask questions about it?

The "Usage" section speaks of "server" and "client". However, in the WG world
there's not really a server or client per se, but all WG network members are
peers. As such, is it possible to propose a universal set of iptables rules
that would be fine to use on any network node?

As I understand, all INPUT packets to our local --dport need to be --unobfs,
and all OUTPUT packets from us to any other node need to be --obfs. Right?

-- 
With respect,
Roman
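The following is an added example, not code from this thread or from the xt_wgobfs repository. It is a user-space Python model of the scheme Wei Chen describes above: a shared SipHash key turned into a reproducible keystream, the first 16 bytes of the WireGuard message XORed with it, mac2 masked only when it is all zeros, random-length padding appended, and 80% of keepalives dropped on egress. The page does not say what xt_wgobfs feeds SipHash with or how it carries the padding length, so this model makes its own assumptions: the sender appends an 8-byte random nonce as the SipHash input, precedes it with one keystream-masked length byte, and caps the padding at 31 bytes. The DSCP rewrite is an IP-header change and is not modelled. SipHash-c-d is implemented generically so the SipHash-2-4 reference vector can be used to check it.

```python
"""Toy model of keyed WireGuard obfuscation (added example, not xt_wgobfs code).

Assumptions of this model (not on the page): trailer = random padding (0..31
bytes) || one length byte XORed with keystream || 8-byte nonce; keystream =
SipHash-1-2(key, nonce || 32-bit counter) concatenated.
"""
import os
import struct

MASK64 = (1 << 64) - 1
NONCE_LEN = 8
MAX_PAD = 32                  # assumption: pad length drawn from 0..31
WG_HANDSHAKE_TYPES = (1, 2)   # initiation / response: mac2 is the last 16 bytes
WG_DATA = 4


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def siphash(key, msg, c=1, d=2):
    """SipHash-c-d (default 1-2 as in the post) with a 16-byte key; 64-bit int."""
    k0, k1 = struct.unpack('<QQ', key)
    v0 = k0 ^ 0x736f6d6570736575
    v1 = k1 ^ 0x646f72616e646f6d
    v2 = k0 ^ 0x6c7967656e657261
    v3 = k1 ^ 0x7465646279746573

    def sipround():
        nonlocal v0, v1, v2, v3
        v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
        v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
        v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
        v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)

    n = len(msg)
    full = n - n % 8
    blocks = [struct.unpack_from('<Q', msg, i)[0] for i in range(0, full, 8)]
    tail = (n & 0xff) << 56              # final block carries the message length
    for i, byte in enumerate(msg[full:]):
        tail |= byte << (8 * i)
    for m in blocks + [tail]:
        v3 ^= m
        for _ in range(c):
            sipround()
        v0 ^= m
    v2 ^= 0xff
    for _ in range(d):
        sipround()
    return v0 ^ v1 ^ v2 ^ v3


def keystream(key, nonce, nbytes):
    """Expand SipHash-1-2(key, nonce || counter) into a reproducible keystream."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += struct.pack('<Q', siphash(key, nonce + struct.pack('<I', ctr)))
        ctr += 1
    return bytes(out[:nbytes])


def _has_zero_mac2(msg):
    return len(msg) >= 32 and msg[0] in WG_HANDSHAKE_TYPES and msg[-16:] == bytes(16)


def obfuscate(key, msg, rng=os.urandom):
    """Sender side. rng is injectable so tests can be deterministic."""
    nonce = rng(NONCE_LEN)
    pad_len = rng(1)[0] % MAX_PAD
    ks = keystream(key, nonce, 33)       # 16 header + 16 mac2 + 1 length byte
    out = bytearray(msg)
    for i in range(16):                  # hide type, reserved bytes and indices
        out[i] ^= ks[i]
    if _has_zero_mac2(msg):              # an all-zero mac2 is a giveaway
        out[-16:] = ks[16:32]            # 0 XOR ks == ks
    out += rng(pad_len) + bytes([pad_len ^ ks[32]]) + nonce
    return bytes(out)


def deobfuscate(key, pkt):
    """Receiver side; raises ValueError when the trailer does not parse."""
    if len(pkt) < 16 + 1 + NONCE_LEN:
        raise ValueError("packet too short")
    nonce = pkt[-NONCE_LEN:]
    ks = keystream(key, nonce, 33)
    pad_len = pkt[-NONCE_LEN - 1] ^ ks[32]
    end = len(pkt) - NONCE_LEN - 1 - pad_len
    if end < 16:
        raise ValueError("bad padding length (wrong key?)")
    msg = bytearray(pkt[:end])
    for i in range(16):
        msg[i] ^= ks[i]
    # mac2 was masked only if it was zero; then it now equals the keystream
    if len(msg) >= 32 and msg[0] in WG_HANDSHAKE_TYPES and msg[-16:] == ks[16:32]:
        msg[-16:] = bytes(16)
    return bytes(msg)


def is_keepalive(msg):
    """A WG keepalive is a data message with an empty payload: 16-byte header
    plus the 16-byte AEAD tag."""
    return msg[0] == WG_DATA and len(msg) == 32


def drop_on_egress(msg, roll, drop_ratio=0.8):
    """Policy from the post: drop 80% of keepalives. roll is a float in [0, 1)."""
    return is_keepalive(msg) and roll < drop_ratio


# Constructed sample traffic (not captures): an initiation-shaped message
# (148 bytes, type 1, zero mac2), a 48-byte data message and a keepalive.
KEY = bytes(range(16))
SAMPLE_INIT = bytes([1, 0, 0, 0]) + bytes(range(128)) + bytes(16)
SAMPLE_DATA = bytes([4, 0, 0, 0]) + b"\x11" * 44
SAMPLE_KEEPALIVE = bytes([4, 0, 0, 0]) + b"\x22" * 28


def demo():
    """Round-trip each sample; returns {name: (wire overhead, recovered ok)}."""
    results = {}
    for name, msg in (("init", SAMPLE_INIT), ("data", SAMPLE_DATA),
                      ("keepalive", SAMPLE_KEEPALIVE)):
        obf = obfuscate(KEY, msg)
        results[name] = (len(obf) - len(msg), deobfuscate(KEY, obf) == msg)
    return results


if __name__ == "__main__":
    for name, (overhead, ok) in demo().items():
        print(f"{name}: +{overhead} bytes on the wire, round trip ok={ok}")
```

Two points worth checking against a real module: the receiver can only restore mac2 because zero XOR keystream equals the keystream, so it compares the field with the keystream rather than needing a flag; and a peer with the wrong key gets either a length error from the trailer or a garbage header that WireGuard's own MAC check rejects, so obfuscation adds no authentication of its own.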


Thread overview: 6+ messages
2022-09-10 11:34 Iptables WireGuard obfuscation extension Wei Chen
2022-09-28 11:33 ` Roman Mamedov [this message]
2022-10-02 23:13   ` Wei Chen
2022-09-28 16:35 ` Jason A. Donenfeld
2022-09-28 18:17   ` Jean-Philippe Aumasson
2022-10-02 23:35   ` Wei Chen
